On 5-apr-2006, at 21:57, John C Klensin wrote:
> they all had an
> option to run with or without NAT. Many of them also have the
> option to have a "bridge" mode allowing the customer to
> provide their own router/firewall solution.
>
> It is that "bridge" mode that is critical. As I indicated
> above, neither the Linksys nor the Netgear devices provide it.
> The SonicWall does, but raises other, unrelated, issues. I
> carefully did not address any devices I haven't actually used.
>
> That leaves us in a state in which it is necessary to handle
> static public IP addresses by either
> * running the ISP's interface device in bridge mode,
> which many (although perhaps not all) ISPs prohibit
> * running the router devices as one-one NATs
It occurs to me that there is nothing that prevents this exact same
issue from coming up in IPv6. Even with an unpronounceable number of
addresses, if you provide your own box that performs routing (which
is generally a requirement for any kind of firewalling), the ISP has
set up an address range to communicate with that box, and another
address range that it forwards to that box for use behind it.
I.e., if the ISP provides a CPE box under their control and I have my
own router/firewall, then I need a subnet between the two and at
least one more subnet on another port of my router/firewall where my
hosts reside. The first issue is that this makes getting a single /64
from the ISP useless, and the second issue is that either there needs
to be some manual configuration or there needs to be some kind of
address provisioning protocol to be run between the CPE and the
customer router/firewall, such as DHCPv6 prefix delegation.
(Note by the way that PPP can do address provisioning for a single
address in IPv4 but it can't do this for IPv6, making stuff like IPv6
over dial-up extremely hard to do.)
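The topology described above (ISP CPE, a transit subnet to the customer's own router/firewall, and at least one more subnet behind it) can be worked through with Python's standard ipaddress module. This is an added illustration, not code from the thread or from any project mentioned in it; the prefixes are constructed from the 2001:db8::/32 documentation range, and the ::1/::2 transit addressing is an assumed static-configuration convention standing in for the manual step the message mentions. It shows why a single /64 cannot serve this layout while a shorter delegation (here a /56) can.

```python
import ipaddress
from itertools import islice

# Constructed sample prefixes from the IPv6 documentation range (2001:db8::/32);
# they are illustrations, not addresses taken from the thread.
ISP_SINGLE_64 = ipaddress.IPv6Network("2001:db8:1200::/64")
ISP_DELEGATED_56 = ipaddress.IPv6Network("2001:db8:1200::/56")


def count_64s(delegated: ipaddress.IPv6Network) -> int:
    """Number of /64 subnets a delegated prefix can be split into (0 if longer than /64)."""
    if delegated.prefixlen > 64:
        return 0
    return 2 ** (64 - delegated.prefixlen)


def fits(delegated: ipaddress.IPv6Network, link_count: int = 1, lan_count: int = 1) -> bool:
    """True when the delegation holds one /64 per CPE<->router link plus one per LAN."""
    return count_64s(delegated) >= link_count + lan_count


def plan_subnets(delegated: ipaddress.IPv6Network, link_count: int = 1, lan_count: int = 1) -> dict:
    """Assign /64s out of the delegation: transit link(s) first, then LAN(s).

    Mirrors the layout in the message: the ISP's CPE and the customer's own
    router/firewall share a transit /64, and the hosts live on further /64s on
    other ports of the customer router.  Raises ValueError when the delegation
    is too small, which is exactly the "single /64 from the ISP" case.
    """
    needed = link_count + lan_count
    if not fits(delegated, link_count, lan_count):
        raise ValueError(
            f"{delegated} provides {count_64s(delegated)} /64(s); this topology needs {needed}"
        )
    # islice so a large delegation (a /48 holds 65536 /64s) is never materialised in full
    chosen = list(islice(delegated.subnets(new_prefix=64), needed))
    return {"link": chosen[:link_count], "lan": chosen[link_count:]}


def transit_addresses(link: ipaddress.IPv6Network) -> dict:
    """Static addresses on the transit /64: CPE takes ::1, customer router takes ::2.

    Assumed convention for the manual-configuration alternative the message
    describes; with DHCPv6 prefix delegation the LAN prefixes would instead be
    handed to the customer router by the CPE.
    """
    hosts = link.hosts()  # generator: skips the subnet-router anycast (::0) and nothing else
    return {"cpe": next(hosts), "customer_router": next(hosts)}


if __name__ == "__main__":
    for delegation in (ISP_SINGLE_64, ISP_DELEGATED_56):
        try:
            plan = plan_subnets(delegation, link_count=1, lan_count=2)
        except ValueError as exc:
            print(f"{delegation}: unusable -> {exc}")
            continue
        print(f"{delegation}: transit {plan['link'][0]}, LANs {[str(n) for n in plan['lan']]}")
        print(f"  transit addresses: {transit_addresses(plan['link'][0])}")
```

Run as a script it reports the /64 as unusable and carves the /56 into one transit subnet plus two LAN subnets; the same `fits` check is what a provisioning step (manual or DHCPv6-PD) would have to satisfy before the customer router can be configured at all.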